Starting with MOVEit Automation 2025.1, Single Sign-On (SSO) is supported for both new installations and upgrades.

SSO enables users to access MOVEit Automation without repeatedly entering their username and password. Once users are authenticated through their organization's network or corporate credentials, they can access MOVEit without signing in again.

MOVEit Automation supports integration with third-party identity providers, which are applications that verify user identities and issue authentication responses. In this setup, MOVEit acts as the service provider, relying on the identity provider to confirm user credentials.

MOVEit Automation supports authentication via OpenID Connect (OIDC) and has been tested with the following Identity Providers:
  • Microsoft Entra ID (formerly Azure AD)
  • Active Directory Federation Services (ADFS)
  • Okta
Other OIDC-compliant providers are not explicitly validated but are expected to be compatible with the MOVEit Automation authentication framework.

To enable SSO in MOVEit Automation, you must first configure your chosen identity provider. The SSO setup requires specific information from the identity provider, which must be gathered in advance.

This configuration enhances security and simplifies the logon experience by centralizing user authentication.

SSO log on options

MOVEit Automation offers three configurable options for SSO:
  • Enable Single Sign-On (SSO) with OIDC

    To use Single Sign-On (SSO), you must have a pre-configured Identity Provider. Authentication is processed by the Identity Provider.

  • Enable Username/Password Sign-On

    MOVEit Automation authenticates the user with the provided credentials.

  • Hide Username/Password Sign-On option on Login Page

    If selected, the login page offers only SSO, even if Username/Password Sign-On is enabled. Select this option to have Web Admin users authenticate via SSO while retaining support for username/password credentials for programmatic access, such as the API.

SSO process for MOVEit Automation Web Admin users

  1. On the MOVEit Automation log on page, the user selects Log in with SSO.
  2. The user is redirected to their chosen identity provider's logon page to authenticate.
  3. The user authenticates with their identity provider, which may include multifactor authentication if configured.
  4. After successful authentication, the identity provider issues a token containing the user's groups, username, and on-prem SID.
  5. MOVEit Automation receives the token, validates it, and extracts the required claims.
  6. MOVEit Automation checks the user's on-prem SID and group membership against its access control (for example, MOVEit admin group or resource groups).
  7. If the user is authorized, Web Admin generates a new access token and the user is logged on; if not, access is denied.
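
The claim checks and authorization decision in steps 5 to 7, as an added example that is not MOVEit Automation's code. It assumes the token's signature has already been verified by an OIDC library; the issuer, client ID, nonce, claim names (`onprem_sid`, `groups`), group name, SID and the rule that both the SID and the group must match are assumptions made for illustration.

```python
import time

# Assumed values for illustration; none of these come from MOVEit Automation.
ISSUER = "https://idp.example.test"
CLIENT_ID = "moveit-automation-client"
ADMIN_GROUP = "MOVEit Admin"                                  # hypothetical group name
SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"        # constructed SID
ALLOWED_SIDS = {SID}
SKEW = 60  # seconds of clock skew tolerated
# Constructed sample claims (payload of an already signature-verified token).
SAMPLE = {"iss": ISSUER, "aud": CLIENT_ID, "exp": 1700000300, "nonce": "n-123",
          "onprem_sid": SID, "groups": [ADMIN_GROUP, "Staff"]}


def check_claims(claims, expected_nonce, now=None):
    """Step 5: validate standard claims; returns an error string or None."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return "bad issuer"
    aud = claims.get("aud")  # OIDC allows a single string or a list of audiences
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        return "bad audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + SKEW:
        return "expired"
    if claims.get("nonce") != expected_nonce:
        return "nonce mismatch"
    return None


def authorize(claims, expected_nonce, now=None):
    """Steps 5-7: return (allowed, reason); a missing claim always denies."""
    err = check_claims(claims, expected_nonce, now)
    if err:
        return False, err
    sid, groups = claims.get("onprem_sid"), claims.get("groups")
    if not isinstance(sid, str) or not isinstance(groups, list):
        return False, "missing sid or groups claim"
    if sid not in ALLOWED_SIDS:
        return False, "sid not recognized"
    if ADMIN_GROUP not in groups:
        return False, "not in an authorized group"
    return True, "ok"


if __name__ == "__main__":
    print(authorize(SAMPLE, "n-123", now=1700000000))
```

A token that omits the SID or groups claim is denied rather than treated as unrestricted, so an identity provider that is not configured to emit those claims fails closed.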